Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

CSC-MA / NSM - really ready for prime time?

BWCBWC Cybersecurity Overlord ✭✭✭
edited October 2 in Capture Security Center

Hi guys,

I'am struggling with CSC-MA, I wanna seriously give it a try, but it bugs me so much by just not working as supposed to be.

Today I thought I upgrade my TZ 400 to via CSC-MA (1.7.1) to check how this works. Well, the upgrade worked, but CSC-MA is not showing the new version and the log complains about an error, which can't be right, because my TZ is updated.

I can't rely on a central management which just causes more confussion. And the best part, CSC-MA is still trying to upgrade my TZ which caused multiple reboots. Deleted the "unfinished" task manually.

What's the general experience with CSC/NSM? I really hope for the best with NSM 2.x, but at this point for me it's not ready for prime time.


Category: Capture Security Center


  • LarryLarry Enthusiast ✭✭


    When I was told that CSC was the way to go forward back at a SW presentation locally here in NJ at the start of the year, I went out and purchased licenses for my clients machines. Implementing the licenses and getting the devices working took half a dozen tickets and almost a month before things were working properly. Time sucked down and wasted was enormous.

    The web interface requires constant clicking in areas that are not intuitive, nor straight-forward.

    I've already thrown up my opinion of the NSM interface as a gamer's coding nightmare, but it is going forward nonetheless - with even more indiscriminate clicking to achieve a task. I am hoping - merely hoping - that the ability to use Templates will far outweigh the burden of working with the UI.

    But like all of SW's efforts, the first one is... what's that frequent Microsoft quote.... Oh yeah, "Sometimes when you're on the bleeding edge, you end up bleeding."

  • dpreshawdpreshaw Newbie ✭


    At a very basic level, the task in CSC-MA is functioning as expected. By that, all I mean that the following is occurring:

    1) Task is created in CSC

    2) Task is executed by CSC (and firmware is actually upgraded)

    The issue here comes with the response seen from the unit. In this case, the response is:

     Response: Response file null is not available.

    Since the result of this task as received at CSC is not "Successful", the task is put in queue to be executed again. At a glance here the issue appears to be the response sent from the firewall, not so much the behavior seen at CSC. We would obviously have to troubleshoot further to identify the exact response sent by the firewall and verify CSC will interpret this response as expected to determine if a final fix would be required by CSC or further versions of firewall firmware.

  • Halon5Halon5 Newbie
    edited October 5

    Hey @BWC , @Larry , @dpreshaw ,

    With no reporting included, hardly a replacement for GMS, and from what I can see all the usual UI quality issues are there. Further, there is no path announced for perpetual license holders. SW don't care?



    Just started working with CSCMA over the past month and it's just as bad as GSM7.X. Slow, unintuitive, and overly complex. Doesn't seem to be well designed for multiple administrators. Getting me the correct permissions to do anyting was pain enough. Even though my boss' account and my account have the same permissions and admin levels I still do not have the same access.

    Weve been using Sonicwalls for ~15 years, GSM was still an experiment (in my eyes) when we attempted to use it 6 years ago. Gave that up after a year. What little we got out of it wasn't worth the hassle.

    CSCMA is probably pretty good when its a fresh and clean set up. The documentation is barely accurate since its based on GSM7, the videos are poorly done. The getting started guides aren't much help, they explain a little but not enough.

    Like everything programming these days I'm sure CSCMA is under (fr)Agile development, so itll get better in probably 6 months.

    A step-by-step guide to getting other admins configured properly, first tenants configured, setting up ZeroTouch templates, change order workflow, and finally configuration management would be nice. Im not holding my breath.

    Since CSCMA was decided on as part of our solution set I will have to leg it out.

  • The NSM is on Livedemo.. Sadly looks more "Groundless" than boundless. Trying to figure out whats going on in your customer environment without any reference to the named devices is going to be tough, not "easy" as the marketing would suggest. Just more of the same.... Looks like they can do it Dashboard => Topology, just don't anywhere else. ...Oh that's right they want to sell you something else so you can see your own stuff... errr Analytics.. ? LOL.

    Does a great job of providing an inventory for billing though...


    Had an interesting discussion with Sonicwall today after our month of purgatory. I will try to be brief.

    CSCMA is NOT the same as NSM. Apparently CSCMA is version 1.7 of their cloud management offering. NSM is version 2.0.

    CSCMA cannot manage the latest and greatest firewalls including the TZ570. Don't even bother (thus purgatory).

    Sonicwall is slowly migrating all CSCMA managed firewalls to NSM, but there is no way to tell when yours will be done and they don't know either.

    The fastest way to get your devices into NSM: (Warning these changes may break something, I did this with a non-production device)


    Previously administered in CSCMA:

    In MySonicwall (new UI) \ My Workspace \ Tenant Products; click the serial number of the appropriate device to expand the product details; change the 'Managed By' option to 'on-box' and confirm the change with the green checkmark; you should get a success message; wait a few minutes. Click the vertical dots for the Actions menu, click to delete the product, select 'Other' as the reason, enter 'reregister' or similar as the answer, and confirm. Wait ten minutes.

    In MySonicwall (new UI) \ My Workspace \ Dashboard; click the oragne 'Create Tenant' button along the top right. Enter your new tenant name (e.g. Company Name NSM) and confirm with the green checkmark. (Add the correct user groups if applicable to your situation).

    In MySonicwall (new UI) \ My Workspace \ Register Products; select the newly created tenant; enter the unit serial number, authentication code, and friendly name; click the orange 'Choose management options' button along the bottom. THIS IS THE IMPORTANT PART. Verify the 'Cloud' option is marked, enable ZeroTouch, and select the appropriate data center name followed by NSM (e.g. NorthAmerica-NSM). DO NOT SELECT ANY OPTIONS ENDING WITH CSCMA! ONLY SELECT NSM OPTIONS! Click Done.

    The next time you enter the Capture Security Center make sure to click the Refresh button next to the tenant drop down otherwise your new tenant won't show up. Select the newly created tenant from the drop down and, finally, click the Network Security Manager icon. This will take to the new NSM.

    Previously registered but not administered in CSCMA:

    You do not need to delete and re-register the unit. You only need to create the new tenant and move the unit into the new tenant. If the unit has valid licensing you will be prompted to select the appropriate data center. ONLY SELECT THE NSM OPTIONS!

    The TRUE NSM is actually in line with the Gen7 SonicOS interface. Hope this helps.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @TKWITS

    holy moley, thanks for pointing that out, at least for me. I have no intention to jump to all of these hoops to convert manually from CSC-MA to NSM, it's just ridicules. But for others that's a great step by step instruction.

    Will give NSM a try whenever SNWL feels I can just use it, hopefully it's before the subscription expires.


  • LarryLarry Enthusiast ✭✭

    Jumping back in time a bit. @dpreshaw , not to blunt this in any way, but...

    We would obviously have to troubleshoot further to identify the exact response sent by the firewall and verify CSC will interpret this response as expected to determine if a final fix would be required by CSC or further versions of firewall firmware.

    Stretching my memory quite a bit, it is my understanding is that within any SDLC, the development-side use cases should have been built during system design - long before implementation, and should have included THIS EXACT SCENARIO. Someone should have had an instance to answer the question: What happens when the link between the FW and CSC has gone into a loop? It should have been considered. It should have been tested. And it should have been resolved at the time.

    How is it possible that months after release, you are first finding this aspect is missing?

Sign In or Register to comment.