
SonicOS 7.0

BWC Cybersecurity Overlord ✭✭✭
edited January 1 in Entry Level Firewalls

Hi all,

finally I'm starting the first customer deployment of a TZ 670 and was facing an issue which has to be known. Because of the lack of a publicly known issue list I opened a ticket for this issue, but this is a totally unnecessary process for known bugs already reported.

Long story short, I'll post my sightings in this thread to maybe save others some time.

#43566630
SonicOS 7.0.0-R713
TZ 670

After every reboot the setting at Device/Settings/Administration 
"Failed login attempts before lockout" gets reset to a value of 0, 
which blocks the ability to save appliance settings.

This results in "Invalid value entered for 'Failed login attempts before lockout'. 
Please enter between 1 to 99" every time when it is not corrected before trying 
to apply any other Administration setting.

This is caused by the loss of the loginFailMaxRate configuration value, 
which is correct in an exported configuration before the reboot, but the 
configuration after reboot has this value set to zero.

If this is something unwanted just make this post vanish.

--Michael@BWC


Comments

  • Halon5 Enthusiast ✭✭
    edited December 2020

    Hiya @BWC ,

    Great to see some real world experience with this new OS. No doubt there will be "more to come".

    So you reloaded the firewall from the exported config?

    Thanks!

    P.S. looks ok on the latest beta and we hadn't seen this in all the betas ..


  • Larry Cybersecurity Overlord ✭✭✭
    edited January 1

    @BWC Michael, I cannot imagine why you would want to waste your valuable time on a zero generation software/hardware combination, but thank you nonetheless for trying to make things better for the rest of us.

    For my clients: I'm renewing licenses for 1 and 2 years so they expire in 2022, at which point I will first consider going to the "7" series.

  • Halon5 Enthusiast ✭✭
    edited January 1

    Hey @Larry , I get that, but the TLS 1.3 support is quite compelling.. if you are doing (or trying) DPI-SSL and all the security features it kind of rounds it out.. the betas we have been running have been pretty stable.

    In many ways, if you're not on the bleeding edge you're probably not doing any security.

  • John_Lasersohn Moderator
    edited December 2020

    Hello @BWC -

    This must have been found and fixed in a newer release than the one you are using.

    Gen7-11866 [GEN7-administrator]Cannot change 'Log out the Admin after inactivity of (mins)' value, GUI show error message 'Invalid value entered for 'Failed login attempts before lockout'. Please enter a value greater than 0'

    I just tested on a unit running a recent QA build and it does not happen anymore.


  • BWC Cybersecurity Overlord ✭✭✭

    Hi guys,

    thanks for joining the conversation. My point being, doing the same thing over and over again is a total waste. The response to my ticket from the support team was: "attach the latest TSR, exp and Trace Logs to the case.". But why should I do this? The issue is explained clearly (I put some effort into this) and it wasn't even cross referenced against the internal known bug list?

    Like @John_Lasersohn did, quick and easy. The correct answer would be "It's fixed in the next release". No time wasted on any side.

    @Halon5 I do have to set this specific parameter over and over again after every reboot. The rest of the configuration seems fine.

    @Larry I'm following the same strategy, renewing Gen6 for a year or so was the way to go. But at some point I have to decide which way to go and this project helps me on that, either way.

    Can't wait for the next Release (R873), thanks @preston for the heads-up.

    Stay safe.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭
    edited December 2020

    Hi all,

    R906 does not fix this issue. The value gets reset to zero after every reboot.

    Can be easily verified, loginFailMaxRate in the configuration file before the reboot is correct, after the reboot the value is zero, not very complicated. This raises the question whether this is isolated or will other settings get lost too?

    Well, on the bright side I did not waste my time with a known bug it seems :)

    --Michael@BWC
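The question of whether other settings get lost across a reboot can be answered mechanically by diffing a settings snapshot taken before the reboot against one taken after. The following is an added example, not code from the thread or from SonicWall: it assumes a simplified plain "key=value per line" format (the real .exp export is not plain text), uses constructed sample snapshots, and flags any key that changed as well as any value that would trip the GUI's 1 to 99 range check on save.

```python
# Constructed snapshots in an assumed, simplified "key=value per line" format.
# The real SonicOS .exp export is not plain text; this models only the
# settings content the thread refers to, not the on-disk encoding.
BEFORE_REBOOT = """\
loginFailMaxRate=5
loginFailLockTime=5
adminTimeout=15
"""
AFTER_REBOOT = """\
loginFailMaxRate=0
loginFailLockTime=5
adminTimeout=15
"""
# Range the GUI enforces on save, taken from the error text in the thread.
RANGE_RULES = {"loginFailMaxRate": (1, 99)}


def parse_settings(text):
    """Parse key=value lines, skipping blanks, comments and malformed lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def diff_settings(before, after):
    """(key, before, after) for every key that changed, appeared or vanished."""
    changes = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, "<missing>"), after.get(key, "<missing>")
        if b != a:
            changes.append((key, b, a))
    return changes


def out_of_range(settings):
    """Keys whose value is present but not an integer inside RANGE_RULES."""
    bad = []
    for key, (lo, hi) in RANGE_RULES.items():
        if key not in settings:
            continue
        try:
            ok = lo <= int(settings[key]) <= hi
        except ValueError:
            ok = False
        if not ok:
            bad.append(key)
    return bad
```

Run `diff_settings(parse_settings(BEFORE_REBOOT), parse_settings(AFTER_REBOOT))` to list drifted keys and `out_of_range(...)` on the post-reboot snapshot to see which ones would block saving.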

  • BWC Cybersecurity Overlord ✭✭✭

    Hi all,

    is it a known bug (feature) that imported certificates are not part of the exported configuration, which causes trouble when replacing an appliance?

    Tested on TZ 670, running SonicOS 7.0.0-R906

    --Michael@BWC

  • @John_Lasersohn have you heard of this before?

    🖐️ Sr. Manager, Web and Digital, SonicWall. Say "hi" by tagging me at @micah.

  • BWC Cybersecurity Overlord ✭✭✭

    @John_Lasersohn, @Micah about the loginFailMaxRate this seems to be a bit more complicated, I'm currently collecting data for the support. It seems a factory reset with R713 or R906 does not cause this issue, but importing a R713 configuration from a day ago makes the issue persistent even when upgraded to R906, which explains why the issue wandered from my appliance to the customer unit.

    Next test will be to downgrade to the initial release the unit came with a few days ago and do it all over. New installations do not seem to be affected.

    Still need to wrap my head around it.

    --Michael@BWC

  • Not close to a bug. The very nature of certificates is that their integrity would be compromised if it were possible to use them after moving them from one appliance to another. This is covered in a KB article.

    https://www.sonicwall.com/support/knowledge-base/sonicwall-certificates-faq/170503799242341/

  • BWC Cybersecurity Overlord ✭✭✭

    @John_Lasersohn after all these years, I never paid attention and it seems I never was in the situation where I needed to restore and having certs at the same time.

    Would be great to have an option to make a full backup, like on the SMA, including the certs as well.

    --Michael@BWC

  • Hello @BWC - I created an enhancement request for this. RFE ID #4030 - Firewall enhanced full backup, including certificates. I have no idea if this is possible, and feel free to ask me every few months here to check its status. It will not be fast for them to review, much less implement, that I know for sure.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi all,

    another gem I found is related to VPN Tunnel Interface names and Routing policies. If the interface name consists of a term of two or more parts separated by a space it cannot be selected separately any more. All interface names starting with the same term/word will be selected at once, so choose wisely. You can "work around" this by artificially altering the name, like using underscores instead of spaces for the Interface names.

    Is this a known bug for 7.0.0-R906 already?

    --Michael@BWC

  • RedNet Enthusiast ✭✭

    @BWC Thanks a lot for your updates and efforts so far with the new Gen. Can I ask how your deployments to customers have gone so far? I have a few customers who will be due a refresh and at this point I feel obliged to push them to a Gen 7 over a Gen 6.5, to give them adequate lifetime value.

    I have a few sites where the NGFW inspection is done further upstream on another appliance, so the SonicWALL is just really the hub edge device and does VPN tunnel (route based), Bandwidth management, NAT, sslvpn ..... so I can start there.

    Have you any in production yet and are there any deal breaker issues on the Gen7's, are you seeing any improvements on throughput or config improvements with the "unified" policy?

    Cheers!

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @RedNet

    I'm still waiting for the customer to have this unit deployed, got postponed due to the holidays etc. But in my opinion there is no real show stopper. Waiting for another unit for the next location, but stock seems a bit short.

    No real world values for you so far, but I do not expect any real enhancement over Gen6 security-wise because it seems to be the same with all its pros and cons. Performance will hopefully be good though.

    The UI is debatable and I will not disclose my opinion publicly at the moment. There is no "unified" policy for the TZ appliance, maybe SonicOSX will be on them one day, we have to see.

    Sorry to be not more helpful at the moment.

    --Michael@BWC

  • RedNet Enthusiast ✭✭
    edited January 1

    Thanks @BWC , yes we have the same here with stock on these units and lead times from our reseller were always "sometime in early 2021", so another reason I haven't pulled the trigger just yet.

    You've actually highlighted a mistake in my own thinking with the unified policy, I had just assumed this was in both OS7 and OSx7. I hadn't noticed that OSx7 was another train of firmware for enterprise hardware appliances. I had incorrectly assumed it was the same firmware and just what they were calling the Gen7 virtual firewall OS version. I wonder why haven't they just used the same policy architecture on both OS7 and OSx7?

    Interesting comments on the UI, it's obviously trying to sit well alongside the new GUIs on MySonicwall, NSM and SMA.

    At least if the performance is there I can enable the full range security policies on all the traffic I would like to without suffering speeds, instead of being extremely selective.

    Have you noticed any real positives with the new OS and hardware?

    Appreciate your comments on this community by the way, it is very difficult to find other people who have a good level of experience and understanding of SonicWALL product to bounce ideas off and get perspective, you know how it can be with the official support channels.

    Cheers and Happy New year!

  • John_Lasersohn Moderator
    edited December 2020

    Hello @BWC - I have seen some issues like that with the VPN pre-shared key fields not accepting spaces, so I will search for this one, which is a Tunnel Interface VPN / routing rule name issue. It may have already been found by QA. I hope to have info for you by tomorrow.

  • I am delayed until next year.

  • Thanks @John_Lasersohn. Appreciate you!

    🖐️ Sr. Manager, Web and Digital, SonicWall. Say "hi" by tagging me at @micah.

  • @BWC , If I understand you correctly, this replication means that our lab unit was taken through upgrades from an affected version. I'll try a clean boot on R906 to see if this happens.


  • BWC Cybersecurity Overlord ✭✭✭

    Hi @John_Lasersohn

    I reset the TZ to factory defaults (R906) and configured the Tunnel Interfaces all over and it still selects both space separated interfaces, so it's not update related.

    --Michael@BWC

  • OK I understand now. I also found that the shared secret field didn't accept all ASCII characters like it should. I will check on the current release candidate and make sure it has fixes for both.

  • @BWC - I have tested a clean boot of a recent release candidate and found the issue still exists. I am creating a must fix for release ticket for Engineering. "TI VPN Names and how duplicate strings in them can cause failures in choosing them as Next Hop in Routing Policies" ; more news on this in a few hours.

  • I have created Gen7-20776, a ticket for Engineering.

    Gen7 TZ: Duplicate strings w/ spaces in TI VPN Names cause UI glitch in choosing Interface in Next Hop for Routing Policies

    I learned that the actual interface parameter, which cannot be two, is set to the one, but the UI shows two chosen. The TSR shows only one interface on the routing policy.

    It is still something that should be fixed. I will be testing one which will pass traffic to make sure it doesn't break that.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi guys,

    whenever you face the original issue of this thread

    After every reboot the setting at Device/Settings/Administration 
    "Failed login attempts before lockout" gets reset to a value of 0, 
    which blocks the ability to save appliance settings.

    it is (again) under investigation as JIRA Gen7-11866, that's what Support reported back a minute ago.

    Importing a configuration inherits the problem even to a R906 Firmware appliance, which is funny (your sense of humor may vary) and strange at the same time.

    --Michael@BWC

  • Paul_Reid Newbie ✭
    edited March 19

    Interesting. My comment got deleted, it looks like. That's...annoying.


    I was relaying our experience with the new OS from the perspective of a partner of over 20 years. It's not like we don't know the products and what they should behave like. We're just finding quality is becoming a serious problem with the newer products - namely SonicOS 7 issues and Email Security x64 crashing issues. It's frustrating for us and our customers.


    Now I wonder how many other comments that weren't all roses and rainbows got deleted, as well. It's a bit unsavory.

  • Larry Cybersecurity Overlord ✭✭✭

    @Paul_Reid

    Now I wonder how many other comments that weren't all roses and rainbows got deleted, as well. It's a bit unsavory.

    Their forum, their rules. But I do understand your concern.

    Others have mentioned a number of shortcomings related to hardware and software. I've even written extensive emails to a director of product management. I'm not certain the vocal few here have sufficient sway to affect the corporation as a whole.

    Clearly some groups are making design decisions, and some groups are translating that into code, and some other groups are implementing that code. But the strenuous/rigorous testing that should be taking place does not seem to be evident in the released products. And that's what we see because we - and our clients - are on the front line with this stuff...

  • Paul_Reid Newbie ✭

    Yes, I agree. It's their forum, their rules. It just surprised me that they'd delete a comment that was honest, but not really positive about the new products. I suppose I was kind of hoping that maybe the powers that be might see that people are having issues and take some action before partners jump ship to other vendors. We have been a solid supporter of Sonicwall for decades. Every one of our clients has their products - in fact, it's a requirement when onboarding a new client that they replace whatever they are using for a firewall with a Sonicwall.


    I believe you're right - there are some poor decisions going on. Sonicwall has a reputation for being very reliable, which is being damaged by these newer products. I've seen some pretty negative comments toward Sonicwall as a whole in my IT based groups lately, which is disheartening. We're likely going to adopt the same approach some of the others here have been using and just renewing the current gen 6 stuff for as long as possible, and hope the gen 7 stuff gets sorted out by the time we get to a place where renews aren't sensible on the gen 6 devices.


    Unfortunately, many of my clients are upgrading to fibre here, with our telco rolling out a $5B initiative to get fibre everywhere, which is prompting the need to upgrade hardware to handle the new speeds - which drives us to the gen 7 stuff, whether we want it, or not. The last gen 7 firmware is from December 8. That's a long time to be living with silly bugs and no updates. You'd think that early on, there'd be rapid releases to address problems as fast as possible - but that doesn't seem to be happening. :(

  • BWC Cybersecurity Overlord ✭✭✭

    7.0.1-R1262 got released today, but I need to check first if it improved or not, I hope for the former.

    --Michael@BWC

  • RobW Newbie ✭

    Having many issues with the new firmware...
