NSM & public WAN access

The recommendation has always been that firewall management is disabled on the WAN port, but cloud NSM requires it, as a VPN tunnel can't be created between the endpoints.

Is the recommendation now to enable management access from the whole internet, or can restrictions be set up to allow only NSM but nothing else? For example, certificate-based authentication.

Category: Network Security Manager
Answers

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @SonicAdmin80

    MGMT access does not have to be enabled on the WAN interface; CSC-MA/NSM is using a VPN tunnel for this, not the WAN IP.

    If you need access from the Internet on the MGMT for other matters, I suggest editing the WAN-WAN HTTPS Management rule to allow only specific source address objects. Works great if you have static IP addresses or DynDNS objects.

    If possible, never make the MGMT interface available in the open. Just my € .02.

    --Michael@BWC
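    The advice above is to keep the WAN-WAN HTTPS Management rule restricted to specific source address objects. The following is an added example, not code from this thread or from SonicWall: a small audit that flags any WAN-to-WAN HTTPS Management allow rule whose source is "Any", and that checks whether a given source IP would be permitted by the remaining rules. The rule dictionary shape, the "dyn:" prefix for DynDNS-style objects, and the DNS answers are all assumptions constructed for the example; real SonicOS/NSM exports use a different format, and DynDNS objects would be resolved live instead of from the table here.

```python
"""Audit constructed access rules for WAN-side management exposure.

Added example; not SonicWall's own code or export format. The rule shape
(from/to zone, service, action, list of source objects) is assumed for
illustration. DynDNS-style objects ("dyn:<hostname>") are resolved through
an injectable resolver so the check runs offline.
"""
import ipaddress
from typing import Callable, Dict, List

# Constructed sample rule set. The first rule is the exposure the thread
# warns about: HTTPS Management reachable from any Internet source.
SAMPLE_RULES: List[Dict] = [
    {"name": "HTTPS Management (default)", "from": "WAN", "to": "WAN",
     "service": "HTTPS Management", "action": "allow", "sources": ["Any"]},
    {"name": "HTTPS Management (restricted)", "from": "WAN", "to": "WAN",
     "service": "HTTPS Management", "action": "allow",
     "sources": ["198.51.100.10/32", "dyn:admin-home.example.net"]},
    {"name": "Web server publish", "from": "WAN", "to": "DMZ",
     "service": "HTTPS", "action": "allow", "sources": ["Any"]},
]

# Constructed DynDNS answers standing in for a live resolver (assumption).
FAKE_DNS: Dict[str, str] = {"admin-home.example.net": "203.0.113.7"}


def resolve_fake(hostname: str) -> str:
    """Offline stand-in for DNS resolution of a DynDNS address object."""
    return FAKE_DNS[hostname]


def expand_sources(sources: List[str],
                   resolver: Callable[[str], str]) -> List[ipaddress._BaseNetwork]:
    """Turn source address objects into IP networks.

    "Any" becomes the whole IPv4 and IPv6 space, "dyn:<host>" is resolved
    to a /32, anything else is parsed as an address or CIDR.
    """
    nets: List[ipaddress._BaseNetwork] = []
    for obj in sources:
        if obj == "Any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            nets.append(ipaddress.ip_network("::/0"))
        elif obj.startswith("dyn:"):
            nets.append(ipaddress.ip_network(resolver(obj[4:]) + "/32"))
        else:
            nets.append(ipaddress.ip_network(obj, strict=False))
    return nets


def is_mgmt_rule(rule: Dict) -> bool:
    """True for a WAN->WAN HTTPS Management allow rule."""
    return (rule["from"] == "WAN" and rule["to"] == "WAN"
            and rule["service"] == "HTTPS Management"
            and rule["action"] == "allow")


def find_open_mgmt_rules(rules: List[Dict]) -> List[str]:
    """Names of management rules that expose the MGMT service to Any."""
    return [r["name"] for r in rules
            if is_mgmt_rule(r) and "Any" in r["sources"]]


def mgmt_allowed_from(rules: List[Dict], src_ip: str,
                      resolver: Callable[[str], str] = resolve_fake) -> bool:
    """Would a connection from src_ip to WAN HTTPS Management be allowed?"""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if not is_mgmt_rule(rule):
            continue
        if any(ip in net for net in expand_sources(rule["sources"], resolver)):
            return True
    return False


if __name__ == "__main__":
    for name in find_open_mgmt_rules(SAMPLE_RULES):
        print(f"WARNING: rule '{name}' exposes HTTPS Management to Any")
    hardened = [r for r in SAMPLE_RULES if r["name"] != "HTTPS Management (default)"]
    for probe in ("203.0.113.7", "198.51.100.10", "192.0.2.99"):
        print(probe, "allowed" if mgmt_allowed_from(hardened, probe) else "denied")
```

    Removing the "Any" rule and keeping only the restricted one leaves management reachable from the static /32 and from whatever the DynDNS name currently resolves to, and denies everything else; the audit function is the check to run after any rule change.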

  • @BWC Does that mean that with cloud NSM the WAN access has to be open for long enough for NSM to acquire the device, then it sets up the VPN tunnel and disables the WAN management after that? Or how does it work exactly?

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @SonicAdmin80

    No, this is done with the magic of ZeroTouch. This needs to be enabled (IMHO it is by default); the appliance phones home and gets automatically assigned to the NSM when "Managed by" is set to cloud on the details page of your appliance in MySonicWall.

    I believe this was it, did it only once.

    --Michael@BWC

  • I wonder how it works if I manually acquire a device already setup? I guess I find out when I do it.

  • BWC Cybersecurity Overlord ✭✭✭

    It'll import the current settings; keeping them synced is something I'm struggling with, but it's probably me doing it wrong.

    --Michael@BWC

  • Yes, I read about that, that local modifications aren't really recommended, which is a shame. But I wonder what manually acquiring does to the WAN management access, and if it disables it, how does NSM communicate with the appliance?

  • BWC Cybersecurity Overlord ✭✭✭

    AFAIK it does not alter the WAN management access. ZeroTouch connects to the backend and a site-to-site tunnel gets created with some random IP addresses involved, hopefully not causing an address conflict.

    Over this tunnel the NSM connects back to your appliance.

    I have modified HTTPS Management rules in place and it does not interfere.

    --Michael@BWC

  • Saravanan Moderator

    Hi @SONICADMIN80,

    The communication between the NSM and Firewall(s) happens as described below:

    With Zero Touch enabled, the ZT client on the Firewall securely communicates to the ZT server (NSM) via MySonicWall. So, without WAN management enabled on the Firewall, communication between NSM and Firewall becomes possible. This is because the Firewall establishes the communication to the NSM first via the ZT client incorporated on it, and NSM comes to know the public IP address of the Firewall.

    With Zero Touch disabled, the Firewall still establishes the communication to NSM first, based on the NSM cloud address cloud.sonicwall.com that we define in the Firewall GUI section Appliance | Base Settings | Advanced Management.

    Hope this clarifies.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • @BWC @Saravanan Ok great, so the acquisition should be quite seamless. I will be acquiring an NSv HA setup that has already been configured. Is there any risk that acquisition could cause connectivity issues?

  • BWC Cybersecurity Overlord ✭✭✭
    edited October 29

    Hi @SonicAdmin80

    I wouldn't expect any connectivity issues.

    Fingers crossed :)

    --Michael@BWC

  • Saravanan Moderator

    @SONICADMIN80 - I would suggest you ensure the points below are in place beforehand.

    • Let the Primary NSv be the Active Firewall when you want to acquire using NSM.
    • If you are using the ZT feature, ensure TCP/UDP port 21021 is open on the Firewall ISP side in both inbound and outbound directions (ZT communication happens on TCP/UDP 21021).

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Cheers, I'll probably do it over the weekend just in case.

  • Saravanan Moderator

    Cool @SONICADMIN80

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services