Best Of
Re: Migration from SonicWall
@khodgson_bts login via SSH to the NSA 4600 and do the following
no cli pager
configure
show current-config
If you don't want to connect via SSH, you can download the TSR from the Diagnostics page, which contains the config as well.
At least you can see in clear text what is configured and can work your way up.
--Michael@BWC

SonicWall's New SecureFirst Partner Program
SonicWall recently announced the introduction of its newly enhanced SecureFirst Partner Program to its existing and prospective North American customers, which is a culmination of actively listening to its partner community and implementing requested and recommended changes.
Incorporating invaluable feedback from across the partner community, SonicWall’s development of the new partner program focuses on key areas that matter most to MSPs and MSSPs. Those include:
- Simplifying Business: Partners can get started accessing SonicWall partner benefits without having to dive into training or business planning commitments. Providing a range of flexible options, partners can tailor the collaboration to suit their specific needs and experience the recent enhancements to the partner portal.
- Enhanced Flexibility: New procurement options that fit both business and customer needs — whether that’s through prepaid subscriptions offered at a discount, or our no-commitment monthly service provider model.
- Personalized Dedicated Support: SonicWall knows how important technical support is to our partners and customers. One key aspect of the program is providing direct, immediate access to level 2 or tier 3 agents.
- New Tiered Tracks: Tiered tracks will be used to accommodate varying business sizes and objectives. This will include an introduction of two distinct tiered tracks — Velocity and Mastery. Velocity will be offered to partners looking to engage with minimal requirements, while Mastery partners will receive all incentives, resources and benefits.
- Unbeatable New Business Investment: Customer acquisition is costly, and SonicWall is prepared to share those costs via aggressive discount levels for any new accounts. These discounts are available for ALL tiers, empowering each of our partners to pursue new business opportunities with a competitive edge.
- Exclusive Access to Learning Tools: SonicWall University offers flexible training options designed for professionals on the go. Partners can learn to position, sell and deploy the SonicWall portfolio with product-specific courseware, specializations and industry-recognized certifications.
To learn more visit: https://www.sonicwall.com/partners/
Re: Mobile Connect 5.0.14 for iOS seems to be broken
The issue is observed with Mobile Connect 5.0.14 when used in conjunction with Gen5, Gen6 and Gen7 firewalls, even with the latest firmware versions. Our engineering team is working on the issue, and as a temporary measure the application has been pulled from the App Store.

Re: Multi-Site VPN Configuration (Diagram Included)
Fully meshed [VPN tunnels between every site] will give the best performance and redundancy.
Routing all traffic via a "central" Sonicwall will be the least complex to manage, but will require capacity at that central location which then becomes a point of failure.
Swings and roundabouts. Take your pick.
Re: Probing failure on NAT static ip/WLB Resource Failed
I suggest you monitor the firewall remotely [e.g. Pingdom, F8lure] and see if it matches up with what the firewall says. I've never known F&LB monitoring to lie - when it says a target is down, it's down.
What are your probe monitoring targets? With one large site [8k peak users] we couldn't use 8.8.8.8 as a ping monitoring target because of the volume of DNS traffic. Maybe your probe monitoring target is less reliable than your WAN. In that case, the WAN wouldn't be used, even though it's really up.
I always have two targets and tell it to fail only when both are down.
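The two-target rule from the post above, as an added worked example (not code from the original post or from SonicWall): a small model of WAN probing where a target is declared down after a run of missed probes, and the WAN is declared down only when both targets are down. It runs two constructed probe sequences, one where a single flaky target (think of an overloaded public resolver) misses four probes in a row while the other target answers, and one where both targets go silent, and counts how often each policy would have flipped the WAN. The target names, threshold and probe results are assumptions for illustration.

```python
"""Added example: dual-target WAN probe logic, "fail only when both are down"
versus "fail when any is down", run over constructed probe results."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class WanProbe:
    targets: List[str]
    mode: str = "all_down"      # "all_down": WAN fails only if every target is down
                                # "any_down": WAN fails as soon as one target is down
    failures_to_down: int = 3   # consecutive misses before a target is declared down (assumed)
    miss_count: Dict[str, int] = field(default_factory=dict)
    target_down: Dict[str, bool] = field(default_factory=dict)

    def __post_init__(self) -> None:
        for t in self.targets:
            self.miss_count[t] = 0
            self.target_down[t] = False

    def observe(self, target: str, ok: bool) -> None:
        """Feed one probe result; a single successful probe clears the target's down state."""
        if ok:
            self.miss_count[target] = 0
            self.target_down[target] = False
        else:
            self.miss_count[target] += 1
            if self.miss_count[target] >= self.failures_to_down:
                self.target_down[target] = True

    def wan_up(self) -> bool:
        downs = [self.target_down[t] for t in self.targets]
        return not all(downs) if self.mode == "all_down" else not any(downs)


# Constructed scenario 1: target A drops four consecutive probes, target B answers every
# time; the WAN link itself is fine, only the probe target is unreliable.
FLAKY_TARGET: List[Tuple[bool, bool]] = [
    (True, True), (False, True), (False, True), (False, True), (False, True), (True, True),
]
# Constructed scenario 2: both targets go silent, i.e. the WAN really is down.
REAL_OUTAGE: List[Tuple[bool, bool]] = [
    (True, True), (False, False), (False, False), (False, False),
]


def run_scenario(mode: str, rounds: List[Tuple[bool, bool]]) -> List[bool]:
    """Return the WAN up/down verdict after each probe round (one result per target per round)."""
    probe = WanProbe(targets=["A", "B"], mode=mode)
    verdicts = []
    for ok_a, ok_b in rounds:
        probe.observe("A", ok_a)
        probe.observe("B", ok_b)
        verdicts.append(probe.wan_up())
    return verdicts


def flaps(verdicts: List[bool]) -> int:
    """Count up/down transitions, i.e. how often the WAN would have failed over or back."""
    return sum(1 for a, b in zip(verdicts, verdicts[1:]) if a != b)


if __name__ == "__main__":
    for mode in ("any_down", "all_down"):
        v = run_scenario(mode, FLAKY_TARGET)
        print(f"{mode:8s} flaky target: {v} flaps={flaps(v)}")
        v = run_scenario(mode, REAL_OUTAGE)
        print(f"{mode:8s} real outage : {v} flaps={flaps(v)}")
```

With the flaky target, "any_down" takes the WAN out of service for two rounds and brings it back (two failovers for nothing), while "all_down" never moves; in the real outage both policies declare the WAN down in the same round, so requiring both targets to fail costs no detection time here.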
Re: SD-WAN VS Site-to-Site VPN
@MvV, what @TKWITS is referring to is like the below, and it is definitely the best way to go.
I've recently set this up with a customer using the Tunnel Interface with policy-based routing (not VPN Tunnel Interface). For the two Internet connections you will need 4 policies for complete redundancy, like the example below. You would need to name them accordingly so they make sense, e.g. Policy 1 you could name Local (site name) X1 to Remote (site name) X1.
You would then need to set up 4 routes in the routing; you can do this individually or use Multipath routing. (You will need to replicate this on all the sites in the same order.) The example below is just for 1 local site to the remote site using both WAN interfaces.
Ideally you need to write it all down so you don't get confused, as in your example you are going to need 4 policies on each remote site, and then for the site ASC you will need to create 24 policies to cover the individual site-to-site VPNs with their failovers.
Policy 1: X1 to X1 - Primary Route (this policy will be used if X1 on both the local and the remote side are available)
Policy 2: X1 to X2 - if X1 on the remote network goes down, it fails over to this route (Policy 2)
Policy 3: X2 to X1 - if X1 on the local device goes down, it fails over to this Secondary Route (Policy 3)
Policy 4: X2 to X2 - if X1 on the local device is down and X1 is also down on the remote device, it fails over to this (Policy 4)
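The policy matrix described in the post above, as an added worked example (not code from the original post or from SonicWall): it generates the four tunnel-interface policies per site pair in the failover order listed (X1 to X1, X1 to X2, X2 to X1, X2 to X2), builds a hub-and-spoke plan so the counts the post gives (4 per remote site, 24 on a hub with six remote sites) fall out, and resolves which policy carries traffic for a given set of interface states. Site names, and the assumption that every site has exactly the two WAN interfaces X1 and X2, are made up for illustration; it does not produce SonicOS configuration syntax.

```python
"""Added example: tunnel-interface policy set per site pair, hub-and-spoke counts,
and failover resolution from interface state."""
from itertools import product
from typing import Dict, List, Optional, Tuple

WANS = ["X1", "X2"]             # assumed: every site has exactly these two WAN interfaces

Policy = Tuple[str, str, str]   # (policy name, local WAN interface, remote WAN interface)


def policies_for_pair(local: str, remote: str, wans: List[str] = WANS) -> List[Policy]:
    """Ordered policies from `local` towards `remote`: X1->X1, X1->X2, X2->X1, X2->X2.
    The order is the failover order, so it must be identical on every site."""
    return [(f"Local({local}) {lw} to Remote({remote}) {rw}", lw, rw)
            for lw, rw in product(wans, repeat=2)]


def policy_count(peer_sites: int, wans: List[str] = WANS) -> int:
    """A site peering with N others needs N * (number of WANs)^2 policies (and routes)."""
    return peer_sites * len(wans) ** 2


def hub_spoke_plan(hub: str, spokes: List[str]) -> Dict[str, List[Policy]]:
    """Hub gets the ordered set towards every spoke; each spoke only the set towards the hub."""
    plan = {hub: [p for s in spokes for p in policies_for_pair(hub, s)]}
    for s in spokes:
        plan[s] = policies_for_pair(s, hub)
    return plan


def active_policy(local: str, remote: str,
                  local_up: Dict[str, bool], remote_up: Dict[str, bool]) -> Optional[str]:
    """Name of the first policy (in failover order) whose local and remote interfaces are
    both up, or None when no combination is available."""
    for name, lw, rw in policies_for_pair(local, remote):
        if local_up.get(lw, False) and remote_up.get(rw, False):
            return name
    return None


if __name__ == "__main__":
    # Constructed topology: one hub and six remote sites, as in the post's 4 / 24 counts.
    hub, spokes = "HUB", [f"SITE-{c}" for c in "ABCDEF"]
    plan = hub_spoke_plan(hub, spokes)
    print(f"{len(plan[hub])} policies on {hub}, {len(plan[spokes[0]])} on each remote site")
    for name, _, _ in plan[spokes[0]]:
        print(" ", name)
    both_up = {"X1": True, "X2": True}
    print(active_policy(spokes[0], hub, {"X1": False, "X2": True}, both_up))
```

The `active_policy` walk is the same "first matching policy wins" logic the four policies rely on: as long as the order is the same at both ends, the two sites agree on which interface pair is in use after any single or double X1 failure.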

Re: VLAN over VPN Configuration
If you want to carry the actual VLAN-tagged frames, i.e. L2 traffic, across a VPN, then no, you cannot bridge L2 networks over VPN with SonicWall.
If you just want multiple networks to be able to reach each other across a VPN, then yes, that's straightforward enough, per MUSTAFAA's post.
Re: VLans Not Working
Thank you @Arkwright
I have moved my search to my servers and getting them to see the VLAN ID.

Re: Loopback NAT Rule not necessary any more with SonicOS7?
@Teleporter Loopback NAT Rules are still needed if the original NAT Rule does not cover everything, like in your case (Ingress/Egress: Any, Orig Source: Any).
But as always, NAT Rule is not enough, a respective Access Rule is needed as well, like LAN (or Any) -> DMZ with Destination X1 IP.
In your case it sounds like LAN-LAN traffic which is IMHO allowed per default.
Nevertheless it's not a good idea to publish Services from the LAN zone, that's what DMZs are for, IMHO.
--Michael@BWC
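Why the loopback rule and the matching access rule are both needed, as an added packet-level illustration (not code from the post or from SonicWall): a LAN client connects to the published X1 address of a service that, as in the original question, also sits on the LAN. With destination NAT only, the server's reply is addressed to a same-subnet host and goes straight back on the LAN, so the client sees a reply from the server's private address instead of from the X1 IP it connected to and the connection fails. With loopback (source NAT to the X1 IP for LAN clients) the reply is forced back through the firewall and un-translated. The access-rule table follows the post's point that the rule matches the original destination, i.e. the X1 IP. Addresses, ports and the rule table are constructed (WAN side from RFC 5737 TEST-NET-3), and the rule evaluation is a simplified model, not SonicOS's exact order.

```python
"""Added example: hairpin (loopback) NAT model. Shows the reply path with and
without the loopback source translation, and the access rule the flow needs."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

LAN_NET = ip_network("192.168.1.0/24")   # constructed
X1_IP = "203.0.113.5"                    # assumed public address of X1 (TEST-NET-3)
SERVER = "192.168.1.10"                  # published service, on the LAN as in the question
CLIENT = "192.168.1.50"                  # LAN client using the public name/address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    return "LAN" if ip_address(ip) in LAN_NET else "WAN"


def reply_to(pkt: Packet) -> Packet:
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)


# Constructed access rules, matched on the original (pre-NAT) destination = X1 IP.
# The second rule is the LAN-side rule the post says is needed besides the NAT rule.
ACCESS_RULES: List[Dict[str, object]] = [
    {"from": "WAN", "to": "LAN", "dst": X1_IP, "dport": 443, "allow": True},
    {"from": "LAN", "to": "LAN", "dst": X1_IP, "dport": 443, "allow": True},
]


def access_allowed(pkt: Packet, rules: List[Dict[str, object]]) -> bool:
    for r in rules:
        if (r["from"] == zone_of(pkt.src) and r["to"] == zone_of(SERVER)
                and r["dst"] == pkt.dst and r["dport"] == pkt.dport):
            return bool(r["allow"])
    return False


def inbound_nat(pkt: Packet, loopback: bool) -> Packet:
    """Destination NAT X1_IP -> SERVER. With loopback, LAN sources are also translated to
    X1_IP so the server's reply must come back through the firewall."""
    if pkt.dst != X1_IP:
        return pkt
    out = replace(pkt, dst=SERVER)
    if loopback and zone_of(pkt.src) == "LAN":
        out = replace(out, src=X1_IP)
    return out


def reverse_nat(reply: Packet, state: Dict[Packet, Packet]) -> Optional[Packet]:
    """Un-translate a reply via the connection table (translated -> original), or None."""
    for translated, original in state.items():
        if reply == reply_to(translated):
            return reply_to(original)
    return None


def hairpin(loopback: bool, rules: List[Dict[str, object]] = ACCESS_RULES) -> Dict[str, object]:
    request = Packet(CLIENT, 51000, X1_IP, 443)
    if not access_allowed(request, rules):
        return {"dropped_by_access_rule": True, "client_sees": None, "works": False}
    translated = inbound_nat(request, loopback)
    state = {translated: request}
    reply = reply_to(translated)
    if ip_address(reply.dst) in LAN_NET:
        client_sees = reply                      # same subnet: delivered directly, firewall bypassed
    else:
        client_sees = reverse_nat(reply, state)  # addressed to X1_IP: back through the firewall
    expected = reply_to(request)                 # client's TCP state expects X1_IP:443 -> CLIENT:51000
    return {"dropped_by_access_rule": False, "client_sees": client_sees,
            "works": client_sees == expected}


if __name__ == "__main__":
    for lb in (False, True):
        r = hairpin(lb)
        print(f"loopback={lb}: client sees reply from {r['client_sees'].src}, works={r['works']}")
    print("without the LAN access rule:", hairpin(True, rules=ACCESS_RULES[:1]))
```

Moving the server to a DMZ, as the post recommends, changes `zone_of(SERVER)` and the access rule to LAN -> DMZ but not the NAT logic: the reply is then routed rather than switched, yet without the source translation the client would still see it arrive from the server's private address.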

Re: TZ 270W functionality question (certificate based access management)
I think this is a task to be handled at switch-level.