Unexplained change to NSM zero-touch FQDN and IP
We received an unexpected NSM alert regarding one of our TZ 470 firewalls. The alert says that the device configuration was changed locally and that the firewall and NSM needed to be synchronized.
No one made a local change, so I logged in to NSM and pulled the diff to review the changes. There were two:
- Changed the name of a spyware rule from "SupremeSpy" to "XPCSpy"
- Changed the FQDN and IP of the zero-touch server
The first change seems innocuous and probably wouldn't affect much since it's just changing the rule's name, not the substance of the rule.
The second change, however, is strange. The FQDN (nsm-uswest-iczt.sonicwall.com) is on the list of FQDNs that SonicWall publishes, but the IP address (52.36.113.220) is not. The FQDN doesn't resolve to that IP address, either. The IP address belongs to Amazon EC2 (like the previous IP address in the configuration), but that's not a closed ecosystem and could be used by bad actors.
I have not synchronized the change yet because I'd like to know if that IP address is a legitimate IP address that SonicWall uses.
Any ideas?
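The verification the question walks through (is the new FQDN on the vendor's published list, and does that FQDN actually resolve to the new IP?) can be scripted so that every NSM "changed locally" alert gets the same treatment. The following is an added example, not code from the original post or from SonicWall; the diff format, the `PUBLISHED_FQDNS` set and the `live_resolver` helper are all assumptions, and the resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable

# Constructed stand-in for the two changes NSM reported (key, new value);
# this is not NSM's real diff/export format.
SAMPLE_DIFF = [
    ("zero_touch.fqdn", "nsm-uswest-iczt.sonicwall.com"),
    ("zero_touch.ip", "52.36.113.220"),
    ("ips.spyware.rule_name", "XPCSpy"),
]

# Hypothetical local copy of the vendor's published zero-touch FQDN list.
PUBLISHED_FQDNS = {"nsm-uswest-iczt.sonicwall.com"}


def live_resolver(fqdn: str) -> set[str]:
    """Return every IPv4 A record for fqdn, or an empty set if it does not resolve."""
    try:
        return {r[4][0] for r in socket.getaddrinfo(fqdn, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def review_zero_touch(diff: Iterable[tuple[str, str]], published: set[str],
                      resolver: Callable[[str], set[str]]) -> dict[str, str]:
    """Map each zero-touch key in the diff to 'ok', 'unverified' or 'mismatch'.

    The IP is only 'ok' when a published FQDN currently resolves to it; a bare IP
    that the FQDN does not resolve to (the poster's case) is flagged 'mismatch'.
    """
    changes = dict(diff)
    verdicts: dict[str, str] = {}
    fqdn = changes.get("zero_touch.fqdn")
    ip = changes.get("zero_touch.ip")
    if fqdn is not None:
        verdicts["zero_touch.fqdn"] = "ok" if fqdn in published else "unverified"
    if ip is not None:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            verdicts["zero_touch.ip"] = "mismatch"  # not even a valid address
            return verdicts
        if fqdn is None or verdicts["zero_touch.fqdn"] != "ok":
            verdicts["zero_touch.ip"] = "unverified"  # no trusted name to compare against
        else:
            verdicts["zero_touch.ip"] = "ok" if ip in resolver(fqdn) else "mismatch"
    return verdicts


if __name__ == "__main__":
    for key, verdict in review_zero_touch(SAMPLE_DIFF, PUBLISHED_FQDNS, live_resolver).items():
        print(f"{key}: {verdict}")
```

Any key other than the two zero-touch ones (the renamed spyware rule here) is deliberately ignored, so an "ok" verdict only covers the management-channel change, not the rest of the diff.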
Answers
Hello,
For the second change, this is an update made to the ZeroTouch service used for communication between the Firewall and NSM.
Both the FQDN and IP are legitimate for the SonicWall service. There may have been updates to DNS since you posted the question.
Here is the current info from nslookup:
Hopefully this answers your question.