Best Of
Re: How to route Wi-Fi guest traffic from Aruba AP 515 to SonicWALL TZ670 on separate VLAN
If your "conductor" (actually the Aruba Virtual Controller, or VC) has a network whose primary usage is Guest, all your clients are allocated private IP addresses and the VC performs the NAT translation.
Unless you change the client IP assignment to network-assigned. Then you can tag this to the VLAN for your X0:30 sub-interface and create the necessary rules from the zone assigned to X0:30.
Re: Packets dropping all of a sudden, starting to go mad
AFAIK, "cache add cleanup drop the packet" is when the connection was closed but one side or the other keeps talking. The further responses are dropped, because the connection is gone.
Are you monitoring quality of this connection? Is it likely that this is caused by serious jitter?
When you say "use the VPN client" do you mean, the user VPNs to your office then connects across the site-site? Or are they VPNing directly to where this is hosted?
Re: Limit Server Internet Access to Specific IP Range
Rules are processed top to bottom, first match wins.
Create a rule allowing what you want to allow. Create a rule blocking what you don't want to allow. Re-order the rules to suit.
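As an added illustration of the top-to-bottom, first-match-wins evaluation described above (example code, not from the original post or SonicWall): a server is limited to one allowed destination range, and the same two rules are evaluated in the correct order and in the reversed order. The server address, the allowed range and the default-allow fallback are constructed assumptions.

```python
import ipaddress

# Constructed rule set (not from the post): limit one server's internet
# access to a single allowed IP range, then block everything else from it.
SERVER = ipaddress.ip_network("10.0.0.5/32")              # hypothetical server
ALLOWED_RANGE = ipaddress.ip_network("203.0.113.0/24")    # hypothetical range
ANY = ipaddress.ip_network("0.0.0.0/0")

# Each rule: (source network, destination network, action). Evaluated top
# to bottom; the first rule whose source and destination both match decides.
RULES_CORRECT = [
    (SERVER, ALLOWED_RANGE, "allow"),   # specific allow first
    (SERVER, ANY, "deny"),              # broad deny second
]
# Same two rules, wrong order: the broad deny now shadows the specific allow.
RULES_WRONG = list(reversed(RULES_CORRECT))


def evaluate(rules, src, dst, default="allow"):
    """Return the action of the first matching rule, else the default.
    default="allow" is an assumption standing in for a zone's default policy."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in rules:
        if src in src_net and dst in dst_net:
            return action
    return default


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule with the
    same or a broader source/destination already decides every such packet."""
    shadowed = []
    for i, (s, d, _) in enumerate(rules):
        for prev_s, prev_d, _ in rules[:i]:
            if s.subnet_of(prev_s) and d.subnet_of(prev_d):
                shadowed.append(i)
                break
    return shadowed
```

Running shadowed_rules over a proposed ordering before applying it catches the reversed case, where the allow rule is dead and the server loses all internet access.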
Re: Migration from SonicWall
@khodgson_bts log in via SSH to the NSA 4600 and do the following:
no cli pager session
configure
show current-config
If you don't want to connect via SSH you can download the TSR from the Diagnostics page, which contains the config as well.
At least you can see in clear text what is configured and can work your way up.
--Michael@BWC
SonicWall's New SecureFirst Partner Program
SonicWall recently announced the introduction of its newly enhanced SecureFirst Partner Program to its existing and prospective North American customers, which is a culmination of actively listening to its partner community and implementing requested and recommended changes.
Incorporating invaluable feedback from across the partner community, SonicWall’s development of the new partner program focuses on key areas that matter most to MSPs and MSSPs. Those include:
- Simplifying Business: Partners can get started accessing SonicWall partner benefits without having to dive into training or business planning commitments. Providing a range of flexible options, partners can tailor the collaboration to suit their specific needs and experience the recent enhancements to the partner portal.
- Enhanced Flexibility: New procurement options that fit both business and customer needs — whether that’s through prepaid subscriptions offered at a discount, or our no-commitment monthly service provider model.
- Personalized Dedicated Support: SonicWall knows how important technical support is to our partners and customers. One key aspect of the program is providing direct, immediate access to level 2 or tier 3 agents.
- New Tiered Tracks: Tiered tracks will be used to accommodate varying business sizes and objectives. This will include an introduction of two distinct tiered tracks — Velocity and Mastery. Velocity will be offered to partners looking to engage with minimal requirements, while Mastery partners will receive all incentives, resources and benefits.
- Unbeatable New Business Investment: Customer acquisition is costly, and SonicWall is prepared to share those costs via aggressive discount levels for any new accounts. These discounts are available for ALL tiers, empowering each of our partners to pursue new business opportunities with a competitive edge.
- Exclusive Access to Learning Tools: SonicWall University offers flexible training options designed for professionals on the go. Partners can learn to position, sell and deploy the SonicWall portfolio with product-specific courseware, specializations and industry-recognized certifications.
To learn more visit: https://www.sonicwall.com/partners/
Re: Mobile Connect 5.0.14 for iOS seems to be broken
The issue is observed with Mobile Connect 5.0.14 when used in conjunction with Gen5, Gen6 and Gen7 firewalls, even with the latest firmware versions. Our engineering team is working on the issue and, as a temporary measure, the application has been pulled from the App Store.
Re: Multi-Site VPN Configuration (Diagram Included)
Fully meshed [VPN tunnels between every site] will give the best performance and redundancy.
Routing all traffic via a "central" Sonicwall will be the least complex to manage, but will require capacity at that central location which then becomes a point of failure.
Swings and roundabouts. Take your pick.
Re: Probing failure on NAT static ip/WLB Resource Failed
I suggest you monitor the firewall remotely [e.g. Pingdom, F8lure] and see if it matches up with what the firewall says. I've never known F&LB monitoring to lie - when it says a target is down, it's down.
What are your probe monitoring targets? With one large site [8k peak users] we couldn't use 8.8.8.8 as a ping monitoring target because of the volume of DNS traffic. Maybe your probe monitoring target is less reliable than your WAN. In that case, the WAN wouldn't be used, even though it's really up.
I always have two targets and tell it to fail only when both are down.
Re: SD-WAN VS Site-to-Site VPN
@MvV, what @TKWITS is referring to is like the below, and it is definitely the best way to go.
I've recently set this up with a customer using the Tunnel Interface with policy-based routing (not the VPN Tunnel Interface). For the two Internet connections you will need 4 policies for complete redundancy, like the example below; you would need to name them accordingly so they make sense, e.g. Policy 1 you could name "Local (site name) X1 to Remote (site name) X1".
You would then need to set up 4 routes in the routing; you can do this individually or use multipath routing. (You will need to replicate this on all the sites in the same order.) The example below is just for 1 local site to the remote site using both WAN interfaces.
Ideally you need to write it all down so you don't get confused, as in your example you are going to need x4 policies on each remote site, and then for the site ASC you will need to create x24 policies to cover the individual site-to-site VPNs with their failovers.
Policy 1: X1 to X1 - Primary Route (this policy will be used if X1 on both the local and the remote side are available)
Policy 2: X1 to X2 - if X1 on the remote network goes down it fails over to this route (Policy 2)
Policy 3: X2 to X1 - if X1 on the local device goes down it fails over to this Secondary Route (Policy 3)
Policy 4: X2 to X2 - if X1 on the local device is down and X1 is also down on the remote device it fails over to this (Policy 4)
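As an added model of the failover ordering above (example code, not from the original post or SonicWall), combined with the probe rule from the earlier thread that a WAN is only declared down when both of its monitoring targets fail: each WAN interface carries two probe results, an interface is up if at least one target answers, and the first of the four policies whose local and remote interfaces are both up is selected. The probe targets, interface names and sample results are constructed.

```python
# Ordered like the post's four policies: (local interface, remote interface).
POLICIES = [
    ("X1", "X1"),  # Policy 1: primary route
    ("X1", "X2"),  # Policy 2: remote X1 down
    ("X2", "X1"),  # Policy 3: local X1 down
    ("X2", "X2"),  # Policy 4: X1 down on both sides
]


def interface_up(probe_results):
    """probe_results: dict target -> True if the probe answered.
    With two targets, the interface is down only when both fail."""
    return any(probe_results.values())


def select_policy(local_probes, remote_probes, policies=POLICIES):
    """local_probes / remote_probes: dict interface -> {target: answered}.
    Return the 1-based number of the first policy whose local and remote
    interfaces are both up, or None when no tunnel path is available."""
    local_up = {ifc: interface_up(p) for ifc, p in local_probes.items()}
    remote_up = {ifc: interface_up(p) for ifc, p in remote_probes.items()}
    for number, (local_ifc, remote_ifc) in enumerate(policies, start=1):
        if local_up.get(local_ifc) and remote_up.get(remote_ifc):
            return number
    return None


# Constructed sample (hypothetical targets): local X1 lost one of its two
# targets but is still up; remote X1 lost both, so it is down -> Policy 2.
SAMPLE_LOCAL = {
    "X1": {"203.0.113.1": True, "198.51.100.1": False},
    "X2": {"203.0.113.1": True, "198.51.100.1": True},
}
SAMPLE_REMOTE = {
    "X1": {"203.0.113.1": False, "198.51.100.1": False},
    "X2": {"203.0.113.1": True, "198.51.100.1": True},
}

if __name__ == "__main__":
    print("selected policy:", select_policy(SAMPLE_LOCAL, SAMPLE_REMOTE))
```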
Re: VLAN over VPN Configuration
If you want to carry the actual VLAN-tagged frames, i.e. L2 traffic, across a VPN, then no, you cannot bridge L2 networks over VPN with SonicWall.
If you just want multiple networks to be able to reach each other across a VPN, then yes, that's straightforward enough, per MUSTAFAA's post.