Best Of
Re: TZ400 SonicOS API - SSL Certificate
Hello @G_Hosa_Phat,
You didn't overlook this endpoint. The root cause has been reported to Engineering. The 6.5.4.8 API documentation link is redirecting to the SonicOS 7.0.1 API documentation so we were looking at the wrong information. The link I provided in my previous post correctly loads the Gen6 API documentation.
Jaime
Re: TZ400 SonicOS API - SSL Certificate
I just tested this on both Gen6 and Gen7. On the Gen6 6.5.4.8 firmware release, I am getting the same 400 Bad Request response with the "API endpoint is incomplete" message. I did some research and could not get it to work. On the Gen7 7.0.1 release, I am able to successfully export the CSR.
EDIT: I filed a report with Engineering regarding this API endpoint on 6.5.4.8.
For the step of importing the signed certificate, please take a look at this thread:
Jaime
Re: TZ400 SonicOS API - SSL Certificate
In my experience, the API follows the CLI command structure very closely, so you might find the CLI documentation and CLI help menus and auto-completion/tabbing to be helpful. I haven't actually looked at the CLI documentation for certificates, and it is my first time looking at generating a CSR using the API. Personally, when I run into an issue like that where I get syntax or schema validation errors, or "no command found" type of errors, I'll hop into an SSH or console session and follow the CLI command structure of what I'm working on. That's actually how I determined that the country needed to be "United States" and not "US".
Jaime
Re: TZ400 SonicOS API - SSL Certificate
Hi @G_Hosa_Phat,
I tested this out and have a solution for you. Check out the items below and the correct JSON to use.
- The country name (not abbreviation) is expected. It will fail if the country name isn't in the list of expected names. The API is very similar to the CLI so sometimes the CLI can provide hints where the Swagger documentation does not.
- Don't include the elements that will be null. Notice the JSON below does not include the optional SAN, or the last two configurable elements of the CSR.
- The signature algorithm expects "md5", "sha-1", "sha-256", "sha-384", or "sha-512". The POST will fail if the signature algorithm is not one of the expected strings.
Please use the following JSON in your POST:
{
"certificates": {
"generate_signing_request": [
{
"alias": "test_csr",
"distinguished_name": {
"element1": {
"country": "United States"
},
"element2": {
"state": "StateName"
},
"element3": {
"locality": "City Name"
},
"element4": {
"organization": "My Company Name"
},
"element5": {
"department": "Information Services"
},
"element6": {
"common_name": "test.mydomain.com"
}
},
"signature_algorithm": "sha-256",
"key": {
"type": "rsa",
"size": "2048"
},
"generate": true
}
]
}
}
Jaime
Re: Cloud Backup Status Report
Hi @GBARSKY,
Thank you for visiting SonicWall Community.
Not that I'm aware of. Even in NSM, you can schedule backups for each firewall and can see the status of each but cannot get a report of entire.
Re: I have SMA 1000 series appliance. ConectTunnel msi dowlnoads not available
The MSI installers show this way in 12.4.1 and not in earlier firmware.
In a CMD window, you can extract the MSI from the legacy EXE installer:
ConnectTunnel_Legacy_xx_en-12.40.494.exe -expand=<path>
You can also use the Modern Connect Tunnel EXE (MCT aka Connect Tunnel for Device Guard or DGCT) to do automated installs following the KB:
........Michael
Simon
Re: DHCP reservations for SMA clients
Hi @Pjohnson ,
Hmm got the pain point. In this case we cannot use the Windows DHCP server for reserving the IP for client but we can resolve this issue with LINUX based DHCP Server.
In Linux based DHCP Server, you can reserve IP in DHCP pool by hostname & not required MAC address.
For Example you have to configure the Linux DHCP Server as same as below for reserving the IP based on the host name.
# dhcpd.conf
#
# Sample configuration file for SMA dhcpd
#
# Attention: If /etc/ltsp/dhcpd.conf exists, that will be used as
# configuration file instead of this file.
#
# option definitions common to all supported networks...
option domain-name "test.local";
option domain-name-servers 8.8.8.8;
default-lease-time 86400;
max-lease-time 86400;
ddns-update-style none;
authoritative;
class "test1" {
match if ( option host-name = "test1");
}
class "test2" {
match if ( option host-name = "test2");
}
class "test3" {
match if ( option host-name = "test3");
}
subnet 192.168.0.0 netmask 255.255.0.0 {
option routers 192.168.0.1;
pool {
allow members of "test1";
range 192.168.1.1 192.168.1.1;
}
pool {
allow members of "test2";
range 192.168.1.2 192.168.1.2;
}
pool {
allow members of "test3";
range 192.168.1.3 192.168.1.3;
}
}
Ajishlal
Re: Auto Negotiate Speeds WAN
Are you using Cat5e or greater cable? Other than that no, not on your end. Are you sure the ISP device is capable of 1Gbps?
TKWITS
Re: High Availability Unit
No problem, the reason, it doesn't work with built-in wifi is because both radios would be broadcasting and if it connected to the secondary appliance's radio you wouldn't be able to get to anywhere,
also with TZ's you may need to enable HA with Portshielding which is in the Diag page - take everything out after m/ and put diag in like m/diag, select internal settings, then search for (ctrl+f) portshield, you might as well enable the Native bridge option also then select Accept and exit Internal settings.
N.B. this option works but first you will need to un-portshield any interfaces already portshielded, then enable HA, then re-enable the portshielded Interfaces if needed after HA is setup.
preston
Re: Mobile broadband connection on NSA 2700 for Internet failover
Hi @westtechllc , in my exerience it is best to use a third party modem for the 4G where you can insert the sim directly and set this up as an additional WAN Interface on the SonicWall, it also gives you the benfit of being able to use an external antenna if need for better coverage
preston