Frustrated with Tech support...
Case - 44014215
I just purchased (5) TZ670's to replace some TZ600's and a TZ400. I have one TZ670 that is getting a DoS attack (Never had an issue with the TZ400 at that location and the new TZ670 was fine for about a week before the attack). I opened a support case 1 week ago. The office has been down. The first couple of support individuals were no help. I am not onsite and at this point the SonicWall is only accessible (WAN) for about 1 minute before I can no longer ping it. The LAN interface is accessible locally but there is only so much we can do with regard to support. It was up yesterday for over 2 hours and the senior tech support person could not figure anything out. In fact, he had it so screwed up that I had to email a prior backup and talk someone through locally to import a previous config just so we could access it again. I spoke with another senior person today, but we could not do anything as it was not accessible. It is at P2 priority. I told them to escalate it again. I am so frustrated with getting quality tech support. And I am frustrated that the SonicWall can be brought down so easily.
Looking for direction - has anyone else been in a similar situation with a DoS?
First off, some questions:
Have you updated your Gen 7 devices to the most recent firmware level before deploying them in the field?
And have you established the settings in your new Gen 7 devices based on this article?
In the midst of a mess that's knocking a device down, doing either one is going to be difficult. But if - as you wrote - the TZ400 worked, it just may mean a truck roll to place that back into production while you try to establish the new one as a stable device.
I'll admit, even the second level support should have helped assist you with the KB settings. But I'm not going to speak to whatever else is going on with the escalation of the case.
Yes, it is running the latest firmware - in fact they sent me a more recent beta one, but I have not had a chance to update it yet. I have not looked at that KB - but I would assume that senior level support tried everything in there yesterday (may be a wrong assumption). I have since had the ISP change it from a static IP to a dynamic one and of course everything is working fine. This is only a short-term fix - as I have 4 site-site VPN tunnels that need it to have a static IP address. I have been in contact with a Senior Solutions Engineer who is helping me at this point.
If you are not implementing the DDoS mitigations yourself then you are just going to keep experiencing this.
From personal experience support has gone downhill in the last two years... Do not assume support has done anything productive. If you are not watching and questioning them then you'll end up as you mentioned (with a screwed up config).
@Ena @MasterRoshi @Nevyaditha
It's hard to remember who is even a SonicWall employee here anymore...
I checked out the KB article - was already doing everything listed...
If you enable the PING service on WAN, then it might be a ping flood attack. If you enable the PING service on the WAN interface, disable it.
A ping flood is a denial-of-service attack in which the attacker attempts to overwhelm a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic. When the attack traffic comes from multiple devices, the attack becomes a DDoS or distributed denial-of-service attack.
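To check whether WAN traffic matches the ping flood pattern described above, the following added example (not from any poster in this thread and not SonicWall code) counts ICMP echo-requests per destination per second and separates a single-source flood from a distributed one. The record layout `epoch_second src dst icmp_type`, the sample addresses, the 100 packets/second threshold and the 90% dominance cut-off are all assumptions chosen for illustration; adapt the parsing to whatever your packet capture or firewall log export actually produces.

```python
from collections import defaultdict

def build_sample():
    """Constructed records (not a real log format): 'epoch_second src dst icmp_type'."""
    lines = [f"{t} 198.51.100.10 203.0.113.5 8" for t in range(100, 105)]  # normal monitoring ping
    lines += ["200 198.51.100.77 203.0.113.5 8"] * 500                     # one noisy source
    for i in range(40):                                                    # many sources, few packets each
        lines += [f"300 192.0.2.{i + 1} 203.0.113.5 8"] * 20
    lines += ["200 203.0.113.5 198.51.100.77 0"] * 500                     # echo replies, not requests
    lines.append("garbage line that should be skipped")
    return lines

def detect_ping_floods(lines, threshold=100, dominance=0.9):
    """Return [(second, dst, packets, distinct_sources, label)] for flooded seconds.

    threshold: echo-requests per second to one destination that counts as a flood (assumed).
    dominance: share of packets from the top source at or above which the flood
               is labelled single-source rather than distributed (assumed).
    """
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, icmp_type = parts
        if icmp_type != "8":          # ICMP type 8 = echo-request; ignore replies and others
            continue
        try:
            second = int(ts)
        except ValueError:
            continue
        buckets[(second, dst)][src] += 1

    findings = []
    for (second, dst), sources in sorted(buckets.items()):
        total = sum(sources.values())
        if total < threshold:
            continue
        top_share = max(sources.values()) / total
        label = "single-source" if top_share >= dominance else "distributed"
        findings.append((second, dst, total, len(sources), label))
    return findings

if __name__ == "__main__":
    for finding in detect_ping_floods(build_sample()):
        print(finding)
```

A single-source result can usually be handled with an upstream block of that address, while a distributed result generally needs rate limiting or filtering at the ISP, since the flood consumes the link before the firewall can drop it.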