Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register
Options

Unexplained change to NSM zero-touch FQDN and IP

roilroil Newbie ✭
in Entry Level Firewalls

We received an unexpected NSM alert regarding one of our TZ 470 firewalls. The alert says that the device configuration was changed locally and that the firewall and NSM needed to be synchronized.

No one made a local change, so I logged in to NSM and pulled the diff to review the changes. There were two:

  1. Changed the name of a spyware rule from "SupremeSpy" to "XPCSpy"
  2. Changed the FQDN and IP of the zero-touch server

The first change seems innocuous and probably wouldn't affect much since it's just changing the rule's name, not the substance of the rule.

The second change, however, is strange. The FQDN (nsm-uswest-iczt.sonicwall.com) is on the list of FQDNs that SonicWall publishes, but the IP address (52.36.113.220) is not. The FQDN doesn't resolve to that IP address, either. The IP address belongs to Amazon EC2 (like the previous IP address in the configuration), but that's not a closed ecosystem and could be used by bad actors.

I have not synchronized the change yet because I'd like to know if that IP address is a legitimate IP address that SonicWall uses.


Any ideas?

Category: Entry Level Firewalls
Reply

Answers

  • Options
    dpreshawdpreshaw SonicWall Employee

    Hello,

    For the second change, this is an update made to the ZeroTouch service used for communication between the Firewall and NSM.

    Both the FQDN and IP are legitimate for the SonicWall service. There may have been updates to DNS since you posted the question.

    Here is the current info from nslookup:

    image.png

    Hopefully this answers your question.

Sign In or Register to comment.