Best Of
Re: VLans Not Working
Thank You @Arkwright
I have moved my search to my servers and getting them to see the VLAN ID.
Re: Loopback NAT Rule not necessary any more with SonicOS7?
@Teleporter Loopback NAT Rules are still needed if the original NAT Rule does not cover everything, like in your case (Ingress/Egress: Any, Orig Source: Any).
But as always, NAT Rule is not enough, a respective Access Rule is needed as well, like LAN (or Any) -> DMZ with Destination X1 IP.
In your case it sounds like LAN-LAN traffic which is IMHO allowed per default.
Nevertheless it's not a good idea to publish Services from the LAN zone, that's what DMZs are for, IMHO.
--Michael@BWC
Re: TZ 270W functionality question (certificate based access management)
I think this is a task to be handled at switch-level.
Re: MAC address filter for the wired LAN
You could disable general DHCP and just create static entries for the MACs you want to allow. But the question doesn't make sense in the context of a Sonicwall TZ270, it's not a switch and you're not going to "protect the LAN" from there.
Re: TZ270W - Does port redundancy need specific setup ?
That linked article says it's not supported on the TZ series, so I don't know how you think you're going to get it working.
TZ series does support Portshield though, have you tried that?
Re: Migrate from NSA2600 to TZ370 not supported by Migration Tool -- options?
@heritage - but if you move to another vendor, guess what? You are going to have to manually program that new device - from scratch - often in a way that is not as intuitive as the one that SonicWall provides.
And for you to point out the Secure Upgrade data sheet as misleading is quite the stretch. That device replacement program says if you have that old device, you can get this new device. The last page even offers services (at additional cost) to help you make the move. You could have taken advantage of that approach. It would work and you wouldn't have any issues at all with the migration tool...
Re: upgrade Firmware on a High Availability (Hardware Failover) Pair - SonicOS 6.5
@katsogiannis depending on your WAN Interfaces you might experience a drop of a few packets. Stateful-HA needs to be licensed to have a smooth transition.
If you're running something like PPPoE on your WAN interface it might take a while to reconnect; these connections are not synced.
--Michael@BWC
Re: TZ570 answering on WAN gateway address
Do a packet capture, do you see packets leaving the interface with a source IP of .9?
If yes:
It's a config issue on your firewall.
If no:
Whatever is upstream of you is NATing your traffic to .9
Re: TZ670 Random Reboot on 5095
In my case with 5095, support noted per the logs that the "Firewall Reboot is due to DP-engine similar to issue reported on GEN7-37134, this has been fixed on latest version 7.0.1-5111 version".
The 5111 Release Notes lists GEN7-37134:
"GEN7-37134 Under some conditions, the Content Filtering Service (CFS) DNS reply handling and request time can trigger conflicts in the handling of cache timers, causing the device to restart."
Re: Dynamic Port Assignment with an NSA2650
In a packet capture, you are looking for what is being dropped by the firewall. Look at source/dest ip/port combination, amend firewall rules to match. Dropped packets are highlighted in red.
I need the same response available to clients on the Internet (WAN) when accessing our DMZ ftp server
....
So, I set up another Access Rule from DMZ to WAN, Source Port: Any, FTP high end ports (50,000-65,535), Source: DMZ_ftp_service, Destination: Any.
Sounds to me like you have this backwards. You need a WAN to DMZ rule, not DMZ to WAN.
And yes, you do need to consider NAT policies for inbound connections... but with this object-based firewall policy stuff, generally speaking, I use the same service objects in the access rule and the NAT policy. When I discover I need to add these ports to some port forward I did 6 months ago, all I am doing is adding more services to the service group that is in use on the access rule and the NAT policy, so only one change to make.
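The point above, one shared service group referenced by both the WAN-to-DMZ access rule and the inbound NAT policy, as an added toy model that is not from this thread or from SonicOS; the object names, the IPs and the port ranges are constructed assumptions.

```python
# Added example, not from the thread or SonicWall: a toy model of
# object-based policy showing why one shared service group keeps the
# access rule and the NAT policy in step. Object names, IPs and the
# ftp_service_group name are constructed assumptions.
from dataclasses import dataclass, field

@dataclass
class ServiceGroup:
    """Named set of inclusive TCP port ranges, like a SonicOS service group."""
    name: str
    ranges: list = field(default_factory=list)  # [(low, high), ...]

    def matches(self, port: int) -> bool:
        return any(lo <= port <= hi for lo, hi in self.ranges)

@dataclass
class AccessRule:
    from_zone: str
    to_zone: str
    service: ServiceGroup  # a reference to the shared group, not a copy

@dataclass
class NatPolicy:
    original_dest: str     # public IP on the WAN interface
    translated_dest: str   # private server IP in the DMZ
    service: ServiceGroup  # the same group object as the access rule

def inbound_permitted(rules, nats, from_zone, to_zone, dest_ip, dport):
    """Return the translated server IP when both an access rule and a
    NAT policy cover this inbound flow, otherwise None."""
    rule_ok = any(r.from_zone == from_zone and r.to_zone == to_zone
                  and r.service.matches(dport) for r in rules)
    nat = next((n for n in nats if n.original_dest == dest_ip
                and n.service.matches(dport)), None)
    return nat.translated_dest if rule_ok and nat else None

# Constructed sample policy: only the FTP control channel at first.
ftp_services = ServiceGroup("ftp_service_group", [(21, 21)])
rules = [AccessRule("WAN", "DMZ", ftp_services)]
nats = [NatPolicy("203.0.113.10", "10.10.10.21", ftp_services)]

def demo():
    before = inbound_permitted(rules, nats, "WAN", "DMZ", "203.0.113.10", 50123)
    ftp_services.ranges.append((50000, 65535))  # one change, both policies follow
    after = inbound_permitted(rules, nats, "WAN", "DMZ", "203.0.113.10", 50123)
    return before, after
```

Because both policies hold the same group object, a passive data-channel port is rejected until the range is added once, after which the access rule and the NAT policy both match it.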