Best Of
Urgent Security Advisory - NetExtender VPN Client Version 10.x and SMA 100 Series
Hi All,
In the interest of consolidating updates and dispersing information quickly to our Community, we will be closing all other threads related to this Security Advisory. Please leave your comments and questions on this thread and we will ensure that as answers are provided, and validated to be accurate, we will post them here in response.
Knowledge base article: Urgent Security Notice: NetExtender VPN Client 10.x, SMA 100 Series Vulnerability | SonicWall
We are expecting an update to both the Advisory and the Knowledge Base article within 24 hours (at some point on January 23, U.S. CT)
Thanks,
Terri O'Leary
Terri
Re: Two Internet connections, Two network segments, bur different default routes.
Hello @Joseph909,
Welcome to SonicWall community.
You can use the following configuration,
1) Enable WAN Load balancing and use X1 as primary and X2 is secondary with basic failover mode
2) Create a static route to send outgoing traffic from X3 subnet to exit on X2
Please make sure you set logical probing on both the interfaces so that we can determine the internet connectivity status from either interfaces.
Result:
1) X0 exits out of X1 as that is the primary connection and if that interface fails, falls back to X2 as that is the secondary connection on WLB group
2) X3 exits out of X2 due to static routing and uses X1 if the X2 fails probing on WLB disabling the static route.
Thanks!
Re: VLAN clarification
Hello @R20,
Nice to meet you! And this is the perfect location.
In short, Yes! VLANs on a single interface can indeed communicate with one another based on what you allow via access rules.
In terms of setup, please see the following SonicWall articles. Naturally, you will need to work with your switch vendor to create the corresponding VLANs.
Kind Regards,
Micah
Re: VLAN clarification
Hi @R20 ,
SonicOS Enhanced zones allows you to apply security policies to the inside of the network. This allows the administrator to do this by organizing network resources to different zones, and allowing or restricting traffic between those zones. This way, access to critical internal resources such as payroll servers or engineering code servers can be strictly controlled.
Each zone has a security type, which defines the level of trust given to that zone. There are five security types:
- Trusted : Trusted is a security type that provides the highest level of trust—meaning that the least amount of scrutiny is applied to traffic coming from trusted zones. Trusted security can be thought of as being on the LAN (protected) side of the security appliance. The LAN zone is always Trusted.
- Encrypted : Encrypted is a security type used exclusively by the VPN zone. All traffic to and from an Encrypted zone is encrypted.
- Wireless : Wireless is a security type applied to the WLAN zone or any zone where the only interface to the network consists of SonicWALL SonicPoint devices. Wireless security type is designed specifically for use with SonicPoint devices. Placing an interface in a Wireless zone activates SDP (SonicWALL Discovery Protocol) and SSPP (SonicWALL Simple Provisioning Protocol) on that interface for automatic discovery and provisioning of SonicPoint devices. Only traffic that passes through a SonicPoint is allowed through a Wireless zone; all other traffic is dropped.
- Public : A Public security type offers a higher level of trust than an Untrusted zone, but a lower level of trust than a Trusted zone. Public zones can be thought of as being a secure area between the LAN (protected) side of the security appliance and the WAN (unprotected) side. The DMZ, for example, is a Public zone because traffic flows from it to both the LAN and the WAN. By default traffic from DMZ to LAN is denied. But traffic from LAN to ANY is allowed. This means only LAN initiated connections will have traffic between DMZ and LAN. The DMZ will only have default access to the WAN, not the LAN.
- Untrusted : The Untrusted security type represents the lowest level of trust. It is used by both the WAN and the virtual Multicast zone. An Untrusted zone can be thought of as being on the WAN (unprotected) side of the security appliance.By default, traffic from Untrusted zones is not permitted to enter any other zone type without explicit rules, but traffic from every other zone type is permitted to Untrusted zones.
For your scenario create a DMZ zone and create the Access rule as per your requirement.
Ajishlal
Re: Move device/product to a different tenant
Hi @R1chR,
Please follow the below steps;
Open your mysonicwall account -->Navigate to the Tenant Product and choose all tenants then select the product which you want to transfer to another tenant --> click on Transfer products.
In the pop up menu select the tenant where you want to move the product & click on Transfer.
Ajishlal
Re: Anyone else suddenly getting false positives on NordVPN?
Yes, it looks like the offending signature has been removed. Thanks!
Trevor
Re: Can't ping devices behind X0/X7 (pings forwarded but no reply back)
Hi @Healthhub,
As well as the above steps, please make sure the IPS low priority attacks is disabled. If you enable the low priority attack, ping service will get block.
Ajishlal
Re: Can't ping devices behind X0/X7 (pings forwarded but no reply back)
Hi @HEALTHHUB,
Thank you for visiting SonicWall Community.
We have often seen such scenarios and we were focused to check the default gateway on the devices that are connected to X0 and X7 interfaces along with windows firewall or client AV running on the end devices needs to be disabled to test the communication.
In your case, could you please ensure the default gateway for the devices connected behind X0 is X0 interface IP 10.5.64.1 and devices connected behind X7 is X7 interface IP 192.168.250.2? For testing, please disable the windows firewall and client AV on the end devices to check if the communication is not halted.
