Best Of
Re: SonicOS Firmware 7.1.3 or wait for 8.0?
I asked my Account Manager what the meaning of the last security alert (issued January 29) was. Her take was simple: every 7.0.1 should be running the latest 7.1.3 firmware (unspoken was the need to suffer through any problems) or turn off SSL VPN altogether.
The 8.0 firmware is currently only available with the TZ80. The premise for that [let's put our foot in the water to see what the temperature is] device is an MSP is going to purchase it (for $99) and then invoice the client for the appropriate security services for as long a contract term as they can get (either annually or monthly). There is little to no indication existing Gen 7 devices will - or can - be "upgraded" to enable this firmware; nor is there any hint of other Gen 8 hardware devices on the horizon (but what do i know?).
Purportedly the primary difference between the Gen 7 and 8 firmware is the ability to detect when a subscription has expired to be able to stop those services from running, effectively bricking the appliance. And allowing for resumption of service when the annual or monthly subscription is renewed.
By mid-March, I'm going to venture an update on my office TZ270W from 7.0.1 (with gobs of backups) to 7.1.3 before attempting same with my client devices.
Larry
Re: How to NAT IP 10.10.1.2 to 192.168.x.x
Have you searched the web at all?
https://www.sonicwall.com/support/knowledge-base/how-can-i-enable-port-forwarding-and-allow-access-to-a-server-through-the-sonicwall/170503477349850
TKWITS
2025 and here's my first snark entry
Really? MORE than a firewall?
Could it be JUST a firewall and a ridiculous subscription?
Could it be LESS than what a site needs to keep itself protected from threats?
Is this simply a money-grab on the part of SonicWall?
Who knows?
But it IS advertised on the Community page!
Disgraceful…
Larry
Re: My firewall have not problem
You should update to 6.5.4.17, limit access from WAN as tight as possible and monitor the situation again.
—Michael@BWC
BWC
Re: I have a feeling most people are configuring their SW's incorrectly
DPI and DPI-SSL are different things. DPI is what gives you all the Next-Gen Firewall features and should be enabled if you want to utilize the security services.
DPI-SSL is broadening this to SSL encrypted traffic and requires a cert in each device. So it could be said that using DPI-SSL will make it possible to inspect 90+% of traffic, only using DPI about half if that and if you disable DPI altogether you aren't doing any deep packet inspection and only using the firewall as a packet filter.
If you would do that then there isn't much sense using a Next-Gen firewall at all and you could just use some open source packet filter firewall.
Turning on "performance optimizations" or "enhanced security" affects low risk threat inspection. More speed if you don't care about low risk threats.
Re: Packet Port Number Changes on Playstation Network
Solution:
Was to raise the NAT rule priority! Something SW techs didn't even come up with.
Re: About replace "NSA2600 single ( OS 6.5.4)" to "NSA2700 HA (OS 7.0)"
@Siuren no worries, it's simpler than you might think.
- Just make sure that the NSA 2600 is running on a Firmware that is supported by the Migration tool.
- Update the new NSa 2700 to 7.0.1-5145, which is officially supported by the Migration Tool
- convert the Configuration with the Migration Tool
- Import the Configuration into your NSa 2700
- Update the NSa 2700 to 7.0.1-5161 (7.1.2 is still very buggy)
- make the few additional changes for the HA configuration
It's a pretty straight forward task.
—Michael@BWC
BWC
Re: SonicWALL TZ 215 - Configuring second public IP address from different subnet
Can you configure your new network on a second WAN interface and have the DC remote hands plug that in for you?
Sonicwall does not support alias IPs either at all or in any straightforward way, so this is probably going to be your best approach long-term.
Re: Forward Lookup "Zones" for IP's Domains through a VPN Connection - TZ470
Have you confirmed this yourself with a packet capture? Plain-old DNS is unencrypted so easy to troubleshoot with Wireshark,
Re: Best Practices for Securing Network Traffic
No expert in gaming here but I would think they have SSL MITM countermeasures in place to prevent the use of tools for cheating, so games may not work with DPI-SSL.