2FA Totally crashing anyone else's TZ570?

ASCChuck Newbie ✭

Firmware 7.x on TZ570

Enabled TOTP for SSLVPN and when user enables it for the first time, the network communication freezes briefly. If the user resets it quickly a few times then the ENTIRE network STOPS communicating and the physical firewall device must be unplugged. (Having a HA device does not prevent network failure and the firewall will not respond to IP traffic including admin login.)

That means a user could crash the entire network by accident or intentionally.

Anyone else use TOTP?

Category: SSL VPN

Best Answer

  • CORRECT ANSWER
    preston Enthusiast ✭✭
    Accepted Answer

    Hi @ASCChuck, there is a new version of firmware released now, 7.0.1-5018-R1709, try that.

Answers

  • preston Enthusiast ✭✭

    Hi @ASCChuck, what firmware are you running?

  • TKWITS All-Knowing Sage ✭✭✭✭

    You should specify the sub-version of the firmware when posting. Sonicwall OS 7 has had plenty of issues up to and including the latest (7.1465).

    I use TOTP and do not have this issue on 7.1465.

  • ASCChuck Newbie ✭

    I'm using the latest firmware for the TZ570 (7.0.1-R1456) since the prior firmware has even more issues. Support won't even tell the developers about this issue since they can't replicate it. I will look to see if a newer version is available.

    Just be aware! I will try to get a scenario that causes the total network shutdown.

  • TKWITS All-Knowing Sage ✭✭✭✭

    I would be willing to try to replicate the issue if you find the trick.

  • BWC Cybersecurity Overlord ✭✭✭

    @preston thanks for the hint about the new release, checked all my TZ downloads and it is only available for the TZ 270 at the moment, YMMV.

    This will change in the next hours I guess.

    --Michael@BWC

  • preston Enthusiast ✭✭

    @BWC, Hi Michael, they should all be available already, I can see all of them. If you search for the model, does it show?

  • BWC Cybersecurity Overlord ✭✭✭

    @preston I logged off and on again to MSW, TZ 570 download is now available, TZ 670 still missing, no other Gen7 under control at the moment. Will give it another shot later.

    --Michael@BWC

  • preston Enthusiast ✭✭

    I had an issue a while back where it showed all of them apart from the TZ570W. If I searched in the search box for TZ 570W, it showed the latest.

  • BWC Cybersecurity Overlord ✭✭✭

    In the meantime it ascended from the depths of MSW. Maybe it was some kind of caching issue, I left the browser open and after 1 or 2 hours it appeared after hitting the refresh again, all good.

    --Michael@BWC

  • ASCChuck Newbie ✭

    Confirmed new firmware available: sw_tz_570_eng.7.0.1-5018-R1709.bin.sig. Will have to test tonight or tomorrow!

  • Rinconmike Newbie ✭

    FYI, on my 670 with 5018-R1709 the device kept randomly rebooting. I had to downgrade. It is in this post.

  • ASCChuck Newbie ✭

    Tested and now using sw_tz_570_eng.7.0.1-5018-R1709.bin.sig and it seems to be good. TOTP still has issues: if you enter the one-time-only code as the first code, you won't have a one-time code, and more importantly, if you try to reset it, it gives you the SAME QR CODE and a one-time code of "0" which doesn't work.

    Scenario: A user saved the QR code and a hacker hacks their PC. The user "resets" their TOTP but it's NOT really reset and the hacker can still get in.

    You need to DELETE the user and that clears bookmarks and maybe other saved settings.

    But at least it doesn't crash the whole network! Yea?
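
The reset behaviour reported in the post above can be checked for by decoding the enrollment QR code before and after a reset and comparing the shared secrets they carry. This is an added example, not part of the original thread and not SonicWall code; it assumes the QR code encodes a standard `otpauth://totp/` URI, and the URIs and function names are constructed for illustration.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

# Constructed sample enrollment URIs (not taken from any real device).
QR_SAVED = "otpauth://totp/ExampleVPN:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleVPN"
QR_AFTER_BAD_RESET = QR_SAVED  # the "reset" handed back the same QR code
QR_AFTER_GOOD_RESET = "otpauth://totp/ExampleVPN:alice?secret=JBSWY3DPEHPK3PXP&issuer=ExampleVPN"

def secret_from_uri(uri):
    """Extract the Base32 shared secret from an otpauth://totp/ URI (the QR payload)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    values = parse_qs(parsed.query).get("secret")
    if not values:
        raise ValueError("URI carries no secret parameter")
    return values[0].replace(" ", "").upper()

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30 s step, 6 digits (common authenticator defaults)."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def reset_rotated_secret(uri_before, uri_after):
    """True only if the QR issued after the reset carries a different shared secret."""
    return secret_from_uri(uri_before) != secret_from_uri(uri_after)

def saved_qr_still_works(uri_saved, uri_after_reset, unix_time):
    """True if a copy of the pre-reset QR yields the code the post-reset secret expects."""
    old_code = totp(secret_from_uri(uri_saved), unix_time)
    new_code = totp(secret_from_uri(uri_after_reset), unix_time)
    return hmac.compare_digest(old_code, new_code)

if __name__ == "__main__":
    now = int(time.time())
    for label, after in (("same QR returned", QR_AFTER_BAD_RESET),
                         ("new QR returned", QR_AFTER_GOOD_RESET)):
        print(f"{label}: secret rotated={reset_rotated_secret(QR_SAVED, after)}, "
              f"saved QR still valid={saved_qr_still_works(QR_SAVED, after, now)}")
```

A reset that returns `False` from `reset_rotated_secret` has not invalidated any copy of the earlier QR code, which is the condition the post describes.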

  • ASCChuck Newbie ✭

    Update.

    Even the new version, sw_tz_570_eng.7.0.1-5018-R1709.bin.sig has MAJOR issues. While SonicWALL was testing, the remote access was blocked. That means that inside users could see outside, but anyone trying to remote in got timed out. The issue is with TOTP. If you are using TOTP with RADIUS, be careful, VERY CAREFUL!

  • Larry Cybersecurity Overlord ✭✭✭

    @ASCChuck - might want to remove the "this question was answered" flag if it is not applicable...
